Bump node-fetch to 2.6.7 to resolve security issue

[roberttaylor426]

See here and here.

Addresses #202.

[gthrm]

@matthew-andrews Hi! Please merge this PR. It's very important for some packages, which depends on this

[scalixte-mdsol]

How soon until this PR get merged? Does this update also require a version?

[scalixte-mdsol]

I look forward to this update.

[ryami333]

@matthew-andrews could you please comment on the status of this high-severity security issue?

[gcruchon]

Hey all... is this library still maintained?

With 6.6M download each week, I hoped so... but I don't see any PR not release for 1.5 year... Is there still a hope?

cc @Jxck

[roberttaylor426]

@gcruchon I share your concerns.

FWIW due to the lack of response here I've since switched to cross-fetch as suggested in this project's README. Transition was straightforward.

[JCMartell]

@roberttaylor426 @matthew-andrews Any updates on if this PR will complete or not? We have nested dependencies (dependency of a dependency) that uses this package. This PR would resolve one of our security issue that we can't really fix otherwise.

[philc-homehub]

Good change. Let's merge!

[joshuaball]

Any ETA for this merge?

[knoxgon]

Year 2023 and still, the PR has not been merged... We're stuck with the security warning forever I guess...

[quanghuynh1502]

@matthew-andrews please merge

[matthew-andrews]

i dont understand why this is necessary. the semver should match the newer version … can someone help explain why it's necessary ?

https://jubianchi.github.io/semver-check/#/^2.6.1/2.6.7

[quanghuynh1502]

i dont understand why this is necessary. the semver should match the newer version … can someone help explain why it's necessary ?

https://jubianchi.github.io/semver-check/#/^2.6.1/2.6.7

Sorry if I made you confuse. All I need is a patch or minor version of isomorphic-fetch@2 due to some package that use the ^2.x.x version and we cannot upgrade it to use your isomorphic-fetch@3. Please let me know if it is valid.
Thanks

[matthew-andrews]

hmm, this pull request is not really going to help for v2 because version v2 relies on node-fetch v1.x.x/whatwg-fetch v0.x.x … the only change between v2 and v3 is this upgrade to use the later versions of node-fetch(v2.x.x)/whatwg-fetch(v3.x.x) so that doesn't really make sense.

is there a version of node-fetch from the v1.x.x that passes your security check? i guess not …

probably the more correct thing to do is upgrade to the v3 branch of isomorphic-fetch … and get fbjs to upgrade also.

[matthew-andrews]

just to prove this pull request is not necessary:

% mkdir test
% cd test
% echo {} > package.json
% npm install --save isomorphic-fetch

added 6 packages, and audited 7 packages in 577ms

found 0 vulnerabilities
% npm ls --all
test@ /Users/matthewandrews/repos/test
└─┬ isomorphic-fetch@3.0.0
  ├─┬ node-fetch@2.6.9
  │ ├── UNMET OPTIONAL DEPENDENCY encoding@^0.1.0
  │ └─┬ whatwg-url@5.0.0
  │   ├── tr46@0.0.3
  │   └── webidl-conversions@3.0.1
  └── whatwg-fetch@3.6.2

as you can see, npm will happily download v2.6.9 with the currently released version of isomorphic-fetch

[marck283]

NPM's node-fetch package versions until 3.2.10 are subject to a MaxListenersExceededWarning: Possible EventEmitter memory leak detected warning and to a Regular Expression Denial of Service bug. Therefore, I think that node-fetch should be upgraded to version 3.2.10 instead of 2.6.7, since the former is the earliest non-vulnerable version of that package.

[rjstanford]

as you can see, npm will happily download v2.6.9 with the currently released version of isomorphic-fetch

The issue is that some of us with legacy code to maintain cannot easily update our intermediate dependencies, which leaves us requiring a 2.x branch of isomorphic-fetch; if a point release of the 2.x version could be made that updated this dependency it would bring a lot of older applications up to more secure code.

[dejan-lukic]

@matthew-andrews you're right in saying that this PR will not resolve the issue at hand. @rjstanford is right; what needs to happen is we need a new v2.2.2 release of the isomorphic-fetch package on npm, where node-fetch is bumped up to at least v2.6.7.